CVE-2023-2744

HIGH

Wedevs WP Erp < 1.12.4 - SQL Injection

Title source: rule
STIX 2.1

Description

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Exploits (1)

nomisec WORKING POC 1 stars
by pashayogi · poc
https://github.com/pashayogi/CVE-2023-2744

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/435da8a1-9955-46d7-a508-b5738259e731

Scores

CVSS v3 7.2
EPSS 0.2841
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

Status published
Products (1)
wedevs/wp_erp < 1.12.4
Published Jun 27, 2023
Tracked Since Feb 18, 2026